Closing the AI Execution Gap in Cybersecurity — A CISO Framework
Summary
The article explains that AI is now pervasive across IT and security, but many organisations — and CISOs in particular — are not ready for the scale and nuance of deployment. Omdia research shows widespread AI adoption yet low CISO preparedness, especially for agentic (semi-autonomous) systems. The authors set out five interdependent dimensions for CISOs to consider (cybersecurity "with", "by", "for", "against" and "and" AI) and give five practical recommendation areas to bridge the execution gap: readiness, governance, predictive security, protection of AI systems, and alignment with business goals.
Key Points
- AI adoption is widespread (93% of organisations using AI tools) but only ~14% of CISOs feel fully prepared to integrate AI into security operations.
- Omdia defines five dimensions of AI in cybersecurity: augmentation (with), automation (by), tooling to protect AI (for), defence against malicious AI (against), and strategy/governance (and).
- Organisations often run dozens of security tools; each tool may introduce AI-related risks or act as a data source, complicating integration and oversight.
- Top CISO concerns are data privacy and identity security (~70%); other barriers include skills shortages, ethical governance gaps and funding constraints.
- Practical CISO recommendations: prioritise readiness (training & infra), focus on governance and ethics, adopt predictive security capabilities, protect AI models and data, and align AI initiatives with business objectives.
- Agentic AI increases risk and complexity — human-in-the-loop controls and transparency are essential to maintain trust and safety.
- Failure to address all five dimensions risks missed opportunities and increased vulnerability as AI becomes embedded in mission-critical platforms.
Why should I read this?
Short version: if you care about keeping your organisation out of the headlines for the wrong reasons, read it. This piece gives a fast, practical framework for CISOs who are drowning in vendor hype but need clear priorities. It’s the kind of no-nonsense checklist you can use to push for training, governance and the right technical controls without getting lost in buzzwords.
